aws-cdk-lib/aws-stepfunctions-tasks: Issue with incorrectly generated IAM policy. #30862

msaphire · 2024-07-15T15:17:57Z

Describe the bug

I am working on writing a CDK based step function with a task to call 'tagresources' on an EFS access point:

const tagAccessPoint = new CallAwsService(this, 'TagAccessPoint', {
            stateName: 'Tag access point',
            service: 'efs',
            action: 'tagResource',
            iamResources: ['*'],
            parameters: {
                ResourceId: JsonPath.stringAt('$.pathToArn'),
                Tags: [
                    {
                        Key: "MYTAGNAME",
                        Value: JsonPath.stringAt('$.pathToId')
                    }
                ]
            },
            resultPath: JsonPath.DISCARD
        })

Produces an incorrect a IAM policy snippet.

Expected Behavior

It should be (ref):

{
    "Action": "elasticfilesystem:tagResource",
    "Resource": "*",
    "Effect": "Allow"
}

Current Behavior

Produces:

{
    "Action": "efs:tagResource",
    "Resource": "*",
    "Effect": "Allow"
}

Which is incorrect, it should be (ref):

Reproduction Steps

Create the following task as part of a CDK defined state machine:

const tagAccessPoint = new CallAwsService(this, 'TagAccessPoint', {
            stateName: 'Tag access point',
            service: 'efs',
            action: 'tagResource',
            iamResources: ['*'],
            parameters: {
                ResourceId: JsonPath.stringAt('$.pathToArn'),
                Tags: [
                    {
                        Key: "MYTAGNAME",
                        Value: JsonPath.stringAt('$.pathToId')
                    }
                ]
            },
            resultPath: JsonPath.DISCARD
        })

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.147.2

Framework Version

No response

Node.js Version

20

OS

macOS

Language

TypeScript

Language Version

TypeScript (5.4.2)

Other information

No response

ashishdhingra · 2024-07-15T17:45:48Z

Reproducible using below code:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';

export class Issue30862Stack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const callAwsServiceTask = new tasks.CallAwsService(this, 'TagEfsAccessPoint', {
      stateName: 'Tag access point',
      service: 'efs',
      action: 'tagResource',
      iamResources: ['*'],
      parameters: {
        ResourceId: sfn.JsonPath.stringAt('$.pathToArn'),
        Tags: [
            {
                Key: "MYTAGNAME",
                Value: sfn.JsonPath.stringAt('$.pathToId')
            }
        ]
      },
      resultPath: sfn.JsonPath.DISCARD
    });

    const stateMachine = new sfn.StateMachine(this, 'MyStateMachine', {
      definition: callAwsServiceTask.next(new sfn.Succeed(this, "GreetedWorld"))
    });
  }
}

Running cdk synth generates the following CloudFormation template:

Resources:
  MyStateMachineRoleD59FFEBC:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: states.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Role/Resource
  MyStateMachineRoleDefaultPolicyE468EB18:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: efs:tagResource
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: MyStateMachineRoleDefaultPolicyE468EB18
      Roles:
        - Ref: MyStateMachineRoleD59FFEBC
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Role/DefaultPolicy/Resource
  MyStateMachine6C968CA5:
    Type: AWS::StepFunctions::StateMachine
    Properties:
      DefinitionString:
        Fn::Join:
          - ""
          - - '{"StartAt":"Tag access point","States":{"Tag access point":{"Next":"GreetedWorld","Type":"Task","ResultPath":null,"Resource":"arn:'
            - Ref: AWS::Partition
            - :states:::aws-sdk:efs:tagResource","Parameters":{"ResourceId.$":"$.pathToArn","Tags":[{"Key":"MYTAGNAME","Value.$":"$.pathToId"}]}},"GreetedWorld":{"Type":"Succeed"}}}
      RoleArn:
        Fn::GetAtt:
          - MyStateMachineRoleD59FFEBC
          - Arn
    DependsOn:
      - MyStateMachineRoleDefaultPolicyE468EB18
      - MyStateMachineRoleD59FFEBC
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Resource
...

Per TagResource, the operation requires permissions for the elasticfilesystem:TagResource action.

Possible root cause:

Per code here, it uses ${iamService}:${props.action} to add IAM policy action.
- iamService is resolved here based on condition iamServiceMap[props.service] ?? props.service.
- iamServiceMap perhaps maintains list of services having mapping to service names, for scenarios where props.service doesn't map to service name (like in current scenario). In current implementation, the logic would fall back to using props.service, which is efs.

Possible fix:
Possible fix is to add mapping efs: 'elasticfilesystem' to iamServiceMap here.

WorkAround:
Explicitly specify CallAwsServiceProps.iamAction as elasticfilesystem:TagResource. Verifies using code below:

const callAwsServiceTask = new tasks.CallAwsService(this, 'TagEfsAccessPoint', {
      stateName: 'Tag access point',
      service: 'efs',
      action: 'tagResource',
      iamResources: ['*'],
      iamAction: 'elasticfilesystem:TagResource',
      parameters: {
        ResourceId: sfn.JsonPath.stringAt('$.pathToArn'),
        Tags: [
            {
                Key: "MYTAGNAME",
                Value: sfn.JsonPath.stringAt('$.pathToId')
            }
        ]
      },
      resultPath: sfn.JsonPath.DISCARD
    });

and it works:

...
  MyStateMachineRoleDefaultPolicyE468EB18:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: elasticfilesystem:TagResource
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: MyStateMachineRoleDefaultPolicyE468EB18
      Roles:
        - Ref: MyStateMachineRoleD59FFEBC
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Role/DefaultPolicy/Resource
...

ishon19 · 2024-07-16T12:57:26Z

Hi @ashishdhingra, I would like to work on this issue!

ashishdhingra · 2024-07-16T15:04:07Z

Hi @ashishdhingra, I would like to work on this issue!

@ishon19 Thanks for your reply. I will most likely submit PR for this issue soon. :)

ishon19 · 2024-07-16T15:08:17Z

@ishon19 Thanks for your reply. I will most likely submit PR for this issue soon. :)

Yeah, sure! =)

github-actions · 2024-07-29T19:53:00Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

github-actions · 2024-07-29T19:53:01Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

msaphire added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 15, 2024

github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jul 15, 2024

ashishdhingra self-assigned this Jul 15, 2024

ashishdhingra added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Jul 15, 2024

ashishdhingra added effort/small Small work item – less than a day of effort p3 and removed needs-reproduction This issue needs reproduction. labels Jul 15, 2024

ashishdhingra removed their assignment Jul 15, 2024

ashishdhingra added the good first issue Related to contributions. See CONTRIBUTING.md label Jul 15, 2024

ashishdhingra self-assigned this Jul 18, 2024

ashishdhingra mentioned this issue Jul 18, 2024

fix(stepfunctions-tasks): fix the generated IAM policy for EFS operations #30896

Merged

1 task

This was referenced Jul 22, 2024

Weekly issue metrics report #30913

Closed

Weekly issue metrics report #30915

Closed

mergify bot closed this as completed in #30896 Jul 29, 2024

mergify bot closed this as completed in 31808b4 Jul 29, 2024

github-actions bot locked as resolved and limited conversation to collaborators Jul 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

aws-cdk-lib/aws-stepfunctions-tasks: Issue with incorrectly generated IAM policy. #30862

aws-cdk-lib/aws-stepfunctions-tasks: Issue with incorrectly generated IAM policy. #30862

msaphire commented Jul 15, 2024

ashishdhingra commented Jul 15, 2024

ishon19 commented Jul 16, 2024

ashishdhingra commented Jul 16, 2024

ishon19 commented Jul 16, 2024

github-actions bot commented Jul 29, 2024

github-actions bot commented Jul 29, 2024